HSCC Legacy Medical Device Task Group Aims to Mitigate Cyber Threats

May 13, 2020 By Robert J. Kerwin

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: 

In April, the FBI reported a global increase in malicious cyberactivity targeting U.S. healthcare providers, noting that the cyberactivity was exploiting fear derived from the COVID-19 pandemic, including targeted phishing attempts with subject lines and content related to COVID-19. This increase in cyberactivity is part of a general rise in cyber threats and data breaches as reported by HHS’s Civil Rights Division. In light of the increased incidence of healthcare cybersecurity issues, it is heartening to know that efforts are ongoing to protect medical devices.

A public-private partnership of companies, nonprofits and industry associations known as the Healthcare & Public Health Sector Coordinating Councils (HSCC) has formed a Legacy Medical Device Task Group to develop planning guidance to mitigate cyber and physical risks. HSCC is pursuing this initiative in the wake of the Cybersecurity Act of 2015 and presidential executive order [PPD-21], which directed the secretary of Homeland Security, among others, to undertake public-private engagements with critical infrastructure sectors to identify cyber and physical risks for security and resiliency. HSCC has compiled impressive deliverables in its short existence, including a technical volume 1 and volume 2 for small and medium/large hospitals.

Legacy medical devices have been recognized as particularly vulnerable to cyber threats as cybersecurity for these devices may not have been considered in the initial device design. Replacing technologies is not always feasible. This challenge will no doubt be compounded by the financial challenges hospitals are experiencing as they resume non-urgent care. 

Cybersecurity risk-benefit analyses will likely be weighed with the primary goal of patient safety. An effort will be underway to identify compensating controls that may be able to provide a baseline level of security protection. This effort may include mechanisms for updates and patches to be maintained over a device’s clinical useful life. Topics could include whitelisting, hardening and micro-segmenting a network.

One of the leads in the Legacy Medical Device Task Group, Mike Powers, a clinical engineer from Delaware, summarized his hope for the Task Group by noting his wish to help “create an environment or platform where devices which are currently unsupported, can, in fact, become supported”. Reacting to the launch of the Task Group, West Virginia-based Radon Medical Imaging Corporation’s president Tim Martin commented, “We are interested in the takeaways. We are committed to cybersecurity. It is on our mind today and every day.”

There were also expressions of caution concerning the Task Group endeavors. IAMERS president Diana Upton offered, “We are hearing increased reports that when cyber patches and upgrades are being applied, some are not able to continue maintenance, as the software permits only the original manufacturer thereafter to undertake service. Given the frequency of patches, the system interdependencies and the number of modalities to be supported, we hope cybersecurity support solutions could be safely developed which still give hospitals cost-effective choices.”

The Task Group members include an array of representatives from industry manufacturers, HDOs, trade associations and other stakeholders. We await their recommendations for greater cybersecurity for legacy devices. 

About the author: Robert J. Kerwin is general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers, and a member of the HSCC Legacy Medical Device Task Group. 


With rumors of a possible renewed push for Congressional legislation, IAMERS president Diana Upton and general counsel Robert Kerwin attended the AAMI Annual Meeting during the first week of June 2018. Their attendance is part of IAMERS’ efforts to reduce the fear-mongering and to get out the message of independent servicers for safe, patient-oriented servicing.

It was clear from the positive reactions of ISOs and HTM professionals to Mr. Kerwin’s remarks on behalf of IAMERS that many were disappointed with the efforts of some representing the manufacturing community to downplay the FDA report which found there to be no need for further regulation and which characterized third party servicing as critical to the healthcare ecosystem. Responding to the enthusiastic support of many in the AAMI meeting, he spoke 3 times regarding the FDA report on 3rd party service and what comes next. “Unfortunately we still hear that the manufacturers and their trade associations are pressing Congressional leaders to pass legislation regulating servicing and seeming to be characterizing the FDA’s conclusions as a ‘blindspot’. We do not think that the FDA report evidenced a blindspot. To the contrary, we feel the 27 page report was a careful analysis of the empirical evidence that there is not a safety problem as suggested by some. We think this should be a time for collaboration not polarization as ISOs contribute successfully to much needed multi-vendor program.” Hospital personnel and clinical engineers embraced his comments and statements of President Upton as many have the same access challenges that IAMERS servicers have.

Pictured here with Katelyn Bittleman of FDA (a principal contributor to the FDA report) and former ACCE president Steve Grimes. Also with Crothall Compliance Officer Sheila O’Donnell and Pat Fitzgerald, Executive Vice President and General Manager of Richardson Electric at the DOTmed breakfast symposium held at AAMI.

Medical device recalls reach historic levels in 2018 with software as leading cause

Medical device recalls reached record highs in the first three months of 2018 thanks to software complications that are likely to continue with the proliferation of high-tech devices.


Congress delays medical device tax for two years

WASHINGTON — Almost no one got everything they wanted out of the Monday deal to reopen the government — except perhaps medical device companies, who managed to fend off an industry-wide excise tax before the first payments were due. The stopgap spending deal that was signed by President Trump on Monday included a two-year delay of the 2.3 percent tax, which was originally included in the Affordable Care Act to help pay for the law’s health insurance subsidies.
